US7260847B2 - Antivirus scanning in a hard-linked environment - Google Patents

Antivirus scanning in a hard-linked environment

Info

Publication number
US7260847B2
Authority
US (United States)
Prior art keywords
file, computer, hard, readable medium, backpointer
Legal status
Active, expires (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number
US10/280,663
Other versions
US20040083381A1 (en)
Inventors
William Sobel, Bruce McCorkendale
Current assignee
CA Inc
Original assignee
Symantec Corp
Events
Application filed by Symantec Corp
Priority to US10/280,663
Assigned to Symantec Corporation (assignors: McCorkendale, Bruce; Sobel, William E.)
Publication of US20040083381A1
Application granted
Publication of US7260847B2
Assigned to CA, Inc. (assignor: Symantec Corporation)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Abstract

Computer-implemented methods, apparati, and computer-readable media for detecting malicious computer code in a file (2) associated with a computer (10). A method of the present invention comprises the steps of determining whether there is more than one hard link (1) to the file (2); and when there is more than one hard link (1), ascertaining the identities of all the hard links (1), and performing an antivirus scan on the file (2) based upon the hard link(s) (1) having the most restrictive scanning criteria of all the hard links (1), or upon the union of scanning criteria amongst all the hard links (1).

Description

TECHNICAL FIELD
This invention pertains to the field of detecting malicious computer code in a computer file, particularly a file having multiple hard links (file names).
BACKGROUND ART
The invention will be illustrated in conjunction with NTFS (New Technology File System). NTFS ships with every Windows NT-based operating system manufactured by Microsoft Corporation. In NTFS, a file 2 within a computer 10 (see FIG. 1) is a composition of many streams: besides its default data stream, any data stream can have multiple named alternate data streams associated therewith, and NTFS uses such streams to carry additional attributes of the file.
NTFS 5.0 (and above) supports multiple hard links 1. A “hard link 1” is a pointer to the file 2 that comprises, at a minimum, the file name. The hard link may comprise the full path name including the file name. Since there can be multiple hard links 1, any file 2 can have multiple file names, even though there is but one physical version of the file 2. Two or more of the file names can point to the same file 2 data, but be located in the same or different directories. FIG. 1 shows an example in which there are three hard links 1 to file 2. Modifying the file 2 via any one of the hard links 1 changes the underlying data pointed to by all of the hard links 1.
NTFS considers all file names to be hard links 1 to the file in question, but most files 2 have just one hard link 1 associated with that file 2. An NTFS file 2 is deleted when all hard links 1 to it are removed, i.e., when the last hard link 1 is removed. This means that a first hard link 1 (1) could be created for file 2 in a first directory, a second hard link 1 (2) could be created for the file 2 in another directory, the first hard link 1 (1) could be deleted, and the second hard link 1 (2) would still exist.
Other operating systems also support hard links, e.g., UNIX (in which they are called hard links) and OS/2 (in which they are called shadows).
Antivirus scanners often make optimization decisions based upon the path or extension of a file 2. For example, if an ostensibly temporary file having the extension .tmp is opened, the antivirus scanner may decline to scan the contents of the file 2, because a .tmp file is not deemed by the antivirus scanner to be executable. However, if that .tmp file name is actually a hard link 1 (2) to an existing .exe file 2, modifying the .tmp file actually modifies the .exe file as well. In this scenario, the antivirus scanner could be lulled into not scanning a file 2 for the presence of malicious code when it should be scanning the file 2. This can result in computer 10 being harmed by the malicious code. As used herein, “malicious code” means any computer code that enters the computer 10 without an authorized user's knowledge and/or without an authorized user's consent. Thus, “malicious code” can include viruses, worms, and Trojan horses. As used herein, the term “antivirus scanner” is used in the broad sense, so that such scanner can detect all types of malicious code, including worms and Trojan horses as well as viruses.
An NTFS file 2 contains the number of hard links 1 to the file 2, but it does not identify the hard links 1 any further. Thus, when a user accesses file 2 via the second hard link 1 (2), this user knows that there are two other hard links 1 (1) and 1 (3), but is not told what they are. The only way for the user to find the other hard links 1 (1) and 1 (3) is to note the serial number that is included in each NTFS file 2 (the file's unique reference number within its volume), and then to search all of the files 2 in the computer 10 for those matching that serial number. That is an extremely time consuming and cumbersome operation, and is the problem addressed by the present invention.
Bolosky et al., “Single Instance Storage in Windows 2000”, downloaded from the Internet on Oct. 11, 2002 at http://research.Microsoft.com/sn/Farsite/WSS2000.pdf, discloses the creation of backpointer tables in cases where a single file has multiple hard or symbolic links pointing to the file. In that reference, however, an attempt to modify the contents of the target file results in a new version of the target file being created, whereas in the present invention the contents of file 2 are not changed.
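The .tmp-alias scenario described above, as an added example that is not part of the patent text. It is written in Python so that it runs on any filesystem with hard links (NTFS, ext4, APFS); `os.stat().st_nlink` is the "number of hard links" field the description refers to, and on Windows Python fills it from the NTFS file record. The extension policy, the file names and the payload marker are constructed for the demonstration.

```python
import os
import tempfile

# Constructed policy: an extension-only scanner scans just these names.
SCANNED_EXTENSIONS = {".exe", ".dll", ".com", ".scr"}

# Constructed marker standing in for malicious code.
PAYLOAD = b"CONSTRUCTED-MALWARE-MARKER"


def extension_policy_scans(path: str) -> bool:
    """True if an extension-only scanner would scan this name."""
    return os.path.splitext(path)[1].lower() in SCANNED_EXTENSIONS


def link_count(path: str) -> int:
    """Number of hard links (names) the file behind `path` has."""
    return os.stat(path).st_nlink


def run_scenario(workdir: str) -> dict:
    """Create tool.exe, alias it as scratch.tmp, write through the alias,
    and report what the extension policy and the link count say."""
    exe = os.path.join(workdir, "tool.exe")
    tmp = os.path.join(workdir, "scratch.tmp")
    with open(exe, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)   # constructed stand-in for a PE header
    os.link(exe, tmp)                   # second name, same file data

    # The attacker writes through the name the scanner ignores.
    with open(tmp, "ab") as f:
        f.write(PAYLOAD)
    with open(exe, "rb") as f:
        exe_bytes = f.read()

    return {
        "same_file": os.path.samefile(exe, tmp),
        "link_count": link_count(tmp),
        "extension_policy_scans_tmp": extension_policy_scans(tmp),
        "payload_reached_exe": PAYLOAD in exe_bytes,
        # Step 43 of the patent: more than one hard link means the
        # decision cannot rest on this one name.
        "needs_link_aware_decision": link_count(tmp) > 1,
    }


def run_scenario_in_tempdir() -> dict:
    """Run the scenario in a scratch directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as workdir:
        return run_scenario(workdir)


if __name__ == "__main__":
    for key, value in run_scenario_in_tempdir().items():
        print(f"{key}: {value}")
```

Running it reports that the two names are the same file with a link count of 2, that the extension policy would not scan scratch.tmp, and that the payload nonetheless landed in tool.exe. Later Windows versions expose the other names of a file directly (`fsutil hardlink list tool.exe`); that facility did not exist when this patent was filed, which is why the description resorts to a whole-volume search by serial number.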
DISCLOSURE OF INVENTION
Computer-implemented methods, apparati, and computer-readable media for detecting malicious computer code in a file (2) associated with a computer (10). A method of the present invention comprises the steps of determining whether there is more than one hard link (1) to the file (2); and when there is more than one hard link (1), ascertaining the identities of all the hard links (1), and performing an antivirus scan on the file (2) based upon the hard link(s) (1) having the most restrictive scanning criteria of all the hard links (1), or upon the union of scanning criteria amongst all the hard links (1).
BRIEF DESCRIPTION OF THE DRAWINGS
These and other more detailed and specific objects and features of the present invention are more fully disclosed in the following specification, reference being had to the accompanying drawings, in which:
FIG. 1 is part of the prior art, inasmuch as it illustrates a conventional NTFS file system.
FIG. 2 is a block diagram illustrating an embodiment of the present invention.
FIG. 3 is a flow diagram illustrating the initialization of backpointer table 3 of the present invention.
FIG. 4 is a flow diagram illustrating operation of an embodiment of the present invention.
FIG. 5 is a flow diagram illustrating an integrity check feature of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
FIG. 2 illustrates apparatus that can be used to implement the present invention. Hard link backpointer table 3 is associated with each file 2 having more than one hard link 1. In NTFS, backpointer table 3 is an alternate data stream. In other operating systems, table 3 can be any table, catalogue, or file. An antivirus scanner module 4 has access to each file 2 on the computer 10, and serves the function of performing scans of file 2 to detect the presence of malicious code contained within the file 2. A file system filter driver 5 has access to each file 2 and is coupled to antivirus scanner module 4. As used throughout this specification including claims, “coupled” is used in the broad sense, and means “directly coupled”, “indirectly coupled”, “in communication with”, “connected to”, “physically coupled”, “logically coupled”, etc. Driver 5 is typically a computer program that is always running on the computer 10 and hooks into the operating system functionality, e.g., via APIs (Application Programming Interfaces). An example of a suitable file system filter driver 5 is Symevent, manufactured by Symantec Corporation of Cupertino, Calif.
A backpointer table construction module 6 has access to each file 2 and to the file's accompanying backpointer table 3. Modules 3, 4, 5, and 6 can be implemented in hardware, firmware, and/or software, or any combination thereof, and are normally implemented in software.
FIG. 3 illustrates the initialization of the backpointer table 3. The method of FIG. 3 can be performed every time the computer 10 is initialized, i.e., when the user of computer 10 first implements the present invention thereon. Alternatively, the method of FIG. 3 can be performed any time the user desires, or when there is reason to believe that backpointer table 3 may have become inconsistent with the file system. For example, this can occur when driver 5 determines that the file system was modified when driver 5 was disabled for a period of time.
The initialization of table 3 begins at step 31. At step 32, construction module 6 asks whether there are any more files 2 to be subjected to the initialization routine. If not, the method ends at step 33. If there are more files 2 to be processed, the method proceeds to step 34, where construction module 6 selects the next file 2 to be processed. At step 35, construction module 6 asks whether there is more than one hard link 1 to file 2. This determination is made by construction module 6 examining the section of the file 2 that contains the number of hard links 1. If this section divulges that there is just one hard link 1, the method reverts to step 32. If, on the other hand, there is more than one hard link 1, the method proceeds to step 36, where construction module 6 creates a backpointer table 3, and links table 3 to file 2. Construction module 6 can create table 3 by means of determining the serial number of file 2 and searching through all the files 2 on the computer for entries having the same serial number. Each entry of table 3 should preferably contain the full path name for each hard link 1. This is useful, because decisions made by antivirus scanner 4 might require knowledge of the directory path and/or extension. The method then reverts to step 32.
Table 3 should be updated by construction module 6 each time a hard link 1 to file 2 is added, deleted, or renamed. File system filter driver 5 (or a client of driver 5) can be programmed to monitor when a hard link 1 is added, deleted, or renamed; and inform construction module 6 accordingly.
FIG. 4 illustrates how the present invention is able to perform a more complete antivirus scan than methods of the prior art. At step 41, a file 2 is opened. At step 42, file system filter driver 5 notices that file 2 is opened. This may happen, e.g., because driver 5 has been programmed to activate whenever any file 2 on computer 10 is opened. At step 43, driver 5 determines whether there is more than one hard link 1 to file 2. This determination can be made by means of driver 5 examining the section of file 2 that indicates the number of hard links 1 to file 2. If there is just one hard link 1, step 46 is entered, where driver 5 instructs antivirus scanner module 4 to scan file 2 in a normal fashion based upon criteria contained in the hard link 1. The criteria may be ascertained from just hard link 1, or from hard link 1 in combination with other information. For example, the scanning criteria may be based simply upon the file name, or upon the file name extension (.tmp or .exe). Alternatively, the scanning criteria may be based upon the extension in combination with information contained in the header of the file 2.
If step 43 discloses that there is more than one hard link 1 to the file 2, driver 5 examines (at step 44) table 3 to determine the identity of the hard link 1 or hard links 1 having the most (in relation to all the hard links 1 associated with that file 2) restrictive scanning criteria associated therewith. This determination is made on the basis of a set of preselected rules. For example, one such rule may be that a file 2 having an extension of .tmp does not have to be scanned by antivirus scanner 4, whereas a file 2 having an extension .exe does have to be scanned. In an alternative embodiment, antivirus scanner 4, rather than driver 5, performs step 44.
Finally, at step 45, antivirus scanner 4 performs the scan based upon said most restrictive criteria, based upon instructions issued by driver 5.
In an alternative embodiment, instead of performing steps 44 and 45, when the answer to the question posed in step 43 is “yes”, antivirus scanner module 4 scans file 2 based upon the union of scanning criteria amongst all the hard links 1. The union of scanning criteria can be determined by antivirus scanner 4 or by driver 5.
FIG. 5 illustrates a method by which the computer 10 user can perform an integrity check upon the contents of table 3. This integrity check can be performed periodically, e.g., weekly, or whenever the user desires, e.g., when the user suspects that table 3 may have been corrupted.
The method begins at step 51. At step 52, construction module 6 asks whether there are any more files 2 to be checked. If there aren't any, the method ends at step 53. If there are files 2 still to be checked, the method proceeds to step 54, where construction module 6 selects the next file 2. At step 55, module 6 determines whether the stated (in the section of file 2 that gives the number of hard links 1) number of hard links 1 is equal to the number of entries in table 3 associated with that particular file 2. If these numbers are the same, the method reverts to step 52. If, on the other hand, these numbers are different, the method proceeds to step 56, where module 6 updates table 3. This updating can be performed in the same way that module 6 performs step 36 of FIG. 3. Then the method again reverts to step 52.
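The procedures of FIGS. 3, 4 and 5, as an added user-space model that is not the patent's own code and does not model the filter driver, the scanner or Symevent; the functions below are the decisions those components would make. It uses Python's `(st_dev, st_ino)` pair as the file identity the description calls a serial number (on Windows Python fills `st_ino` from the NTFS file ID, elsewhere from the inode number), `os.walk` as the whole-tree search of step 36, and a constructed per-extension criteria table in which a larger set of checks counts as "more restrictive". The directory layout and the criteria are constructed for the demonstration.

```python
import os
import stat
import tempfile
from collections import defaultdict

# Constructed scanning criteria per extension: the set of checks to run.
# An empty set means "do not scan" (the .tmp optimisation in the text).
CRITERIA = {
    ".tmp": frozenset(),
    ".txt": frozenset({"macro"}),
    ".dll": frozenset({"signature"}),
    ".exe": frozenset({"signature", "heuristic"}),
}
DEFAULT_CRITERIA = frozenset({"signature"})


def criteria_for(name: str) -> frozenset:
    """Scanning criteria derived from one hard link (here: its extension)."""
    return CRITERIA.get(os.path.splitext(name)[1].lower(), DEFAULT_CRITERIA)


def build_backpointer_tables(root: str) -> dict:
    """FIG. 3: walk `root` once; each regular file with more than one link
    gets a sorted list of every full path naming it, keyed by file identity.
    Links outside `root` are not seen, which integrity_check() will report."""
    by_id = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                by_id[(st.st_dev, st.st_ino)].append(path)
    return {fid: sorted(paths) for fid, paths in by_id.items()}


def scan_decision(path: str, tables: dict) -> dict:
    """FIG. 4: one link -> that name's criteria (step 46). Several links ->
    the most restrictive single link (steps 44/45) and the union over all
    links (the alternative embodiment), read from the backpointer table."""
    st = os.stat(path)
    if st.st_nlink == 1:
        c = criteria_for(path)
        return {"names": [path], "most_restrictive": c, "union": c}
    names = tables.get((st.st_dev, st.st_ino), [path])
    per_name = [criteria_for(n) for n in names]
    return {"names": names,
            "most_restrictive": max(per_name, key=len),
            "union": frozenset().union(*per_name)}


def integrity_check(tables: dict) -> list:
    """FIG. 5, step 55: a table is stale when a listed name is gone or the
    live link count differs from the number of table entries."""
    stale = []
    for fid, names in tables.items():
        live = [n for n in names if os.path.exists(n)]
        if len(live) != len(names) or os.stat(live[0]).st_nlink != len(names):
            stale.append(fid)
    return stale


def demo() -> dict:
    """Constructed tree: bin/tool.exe aliased as temp/scratch.tmp, a
    single-link bin/helper.dll, then a third link created while the table
    is not maintained (driver disabled) and caught by the integrity check."""
    with tempfile.TemporaryDirectory() as root:
        exe = os.path.join(root, "bin", "tool.exe")
        tmp = os.path.join(root, "temp", "scratch.tmp")
        dll = os.path.join(root, "bin", "helper.dll")
        os.makedirs(os.path.dirname(exe))
        os.makedirs(os.path.dirname(tmp))
        for p in (exe, dll):
            with open(p, "wb") as f:
                f.write(b"MZ")          # constructed stand-in for a PE image
        os.link(exe, tmp)

        tables = build_backpointer_tables(root)
        on_tmp = scan_decision(tmp, tables)
        on_dll = scan_decision(dll, tables)
        stale_before = integrity_check(tables)

        third = os.path.join(root, "temp", "copy.txt")
        os.link(exe, third)             # table not updated for this link
        stale_after = integrity_check(tables)
        tables = build_backpointer_tables(root)   # step 56: rebuild
        on_third = scan_decision(third, tables)
        return {"tmp_link_names": len(on_tmp["names"]),
                "tmp_most_restrictive": set(on_tmp["most_restrictive"]),
                "dll_union": set(on_dll["union"]),
                "stale_before": len(stale_before),
                "stale_after": len(stale_after),
                "third_link_names": len(on_third["names"]),
                "third_union": set(on_third["union"])}
```

Calling `demo()` returns a dictionary: opening scratch.tmp resolves to two names and is scanned with the .exe criteria, helper.dll (one link) keeps its own criteria, the integrity check is clean until copy.txt is linked behind the table's back, and after the rebuild the union for copy.txt carries the .exe and .txt checks together. Two caveats a practitioner will meet in production: a table built by walking a subtree can be shorter than the link count when another name lies outside the walked tree or in a directory the walker cannot read, which is exactly the mismatch step 55 detects; and treating "most restrictive" as "largest set of checks" is one ordering among many, whereas the union embodiment needs no such ordering.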
In an alternative embodiment of the present invention, any search module associated with the computer 10 that searches for files 2 by file name or portion of file name can be modified to consult not just the items that the search module has been programmed to look for, but also the information contained in backpointer table 3. This can enhance the usability of the search module. An example of such a search module is Explorer, which is present on Windows operating systems. Say, for example, that the user asks Explorer to look for all files having the extension .exe. If Explorer has been enhanced as described herein, it will report not just the names ending in .exe but also the other hard links 1 to those files 2 whose names do not end in .exe.
The above description is included to illustrate the operation of the preferred embodiments and is not meant to limit the scope of the invention. The scope of the invention is to be limited only by the following claims. From the above discussion, many variations will be apparent to one skilled in the art that would yet be encompassed by the spirit and scope of the present invention.

Claims (36)

1. A computer-implemented method for detecting malicious computer code in a file associated with a computer, said method comprising the steps of:
determining whether there is more than one hard link to the file; and
when there is more than one hard link:
ascertaining the identities of all the hard links; and
performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links to detect malicious computer code.
2. The method of claim 1 wherein each hard link comprises a file name.
3. The method of claim 1 wherein each hard link comprises a full path name including a file name.
4. The method of claim 1 wherein the scanning criteria are based upon a file name in combination with other information.
5. The method of claim 4 wherein said other information comprises information contained in a header of the file.
6. The method of claim 1 wherein the ascertaining comprises accessing a backpointer table associated with the file.
7. The method of claim 6 wherein the backpointer table comprises full path names for all hard links to the file.
8. The method of claim 6 wherein the backpointer table is stored as an alternate data stream associated with the file.
9. The method of claim 6 wherein the backpointer table has been constructed by a backpointer table construction module.
10. The method of claim 6 wherein the backpointer table is updated every time a file is subjected to an operation from the group of operations comprising addition of a file, deletion of a file, and renaming of a file.
11. The method of claim 6 wherein a search module associated with the computer is modified to access the backpointer table.
12. The method of claim 6 wherein the backpointer table is created when the computer is initialized.
13. The method of claim 6 wherein the backpointer table is re-initialized when there is reason to believe that the backpointer table may have become inconsistent.
14. The method of claim 6 further comprising the step of:
performing an integrity check on the backpointer table.
15. The method of claim 14 wherein the step of performing the integrity check comprises the substeps of:
for each file on the computer, determining whether a first value stored within the file representative of a number of hard links associated with the file is equal to a second value representative of the number of entries in the backpointer table associated with the file; and
when the first value is unequal to the second value, updating the backpointer table.
16. The method of claim 1 wherein the determining step is performed every time the file is opened.
17. The method of claim 1 wherein the ascertaining is performed by a file system filter driver that is always running on the computer.
18. A computer-readable medium containing computer program instructions for detecting malicious computer code in a file associated with a computer, comprising:
a backpointer table construction module coupled to the file, said module adapted to construct a backpointer table for the file when the file has more than one hard link;
an antivirus scanner coupled to the file and adapted to scan the file for the presence of malicious computer code; and
a file system filter driver coupled to the file and to the antivirus scanner, said driver instructing the antivirus scanner to examine the backpointer table when the file has more than one hard link.
19. A computer-readable medium containing computer program instructions for detecting malicious computer code in a file associated with a computer, said instructions performing the steps of:
determining whether there is more than one hard link to the file; and when there is more than one hard link:
ascertaining the identities of all the hard links; and
performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links to detect malicious computer code.
20. The computer-readable medium of claim 19 wherein each hard link comprises a file name.
21. The computer-readable medium of claim 19 wherein each hard link comprises a full path name including a file name.
22. The computer-readable medium of claim 19 wherein the scanning criteria are based upon a file name in combination with other information.
23. The computer-readable medium of claim 22 wherein said other information comprises information contained in a header of the file.
24. The computer-readable medium of claim 19 wherein the ascertaining comprises accessing a backpointer table associated with the file.
25. The computer-readable medium of claim 24 wherein the backpointer table comprises full path names for all hard links to the file.
26. The computer-readable medium of claim 24 wherein the backpointer table is stored as an alternate data stream associated with the file.
27. The computer-readable medium of claim 24 wherein the backpointer table has been constructed by a backpointer table construction module.
28. The computer-readable medium of claim 24 wherein the backpointer table is updated every time a file is subjected to an operation from the group of operations comprising addition of a file, deletion of a file, and renaming of a file.
29. The computer-readable medium of claim 24 wherein a search module associated with the computer is modified to access the backpointer table.
30. The computer-readable medium of claim 24 wherein the backpointer table is created when the computer is initialized.
31. The computer-readable medium of claim 24 wherein said instructions further comprise the step of:
performing an integrity check on the backpointer table.
32. The computer-readable medium of claim 31 wherein the step of performing the integrity check comprises the substeps of:
for each file on the computer, determining whether a first value stored within the file representative of a number of hard links associated with the file is equal to a second value representative of the number of entries in the backpointer table associated with the file; and
when the first value is unequal to the second value, updating the backpointer table.
33. The computer-readable medium of claim 19 wherein the determining step is performed every time the file is opened.
34. The computer-readable medium of claim 19 wherein the ascertaining is performed by a file system filter driver that is always running on the computer.
35. A computer-implemented method for detecting malicious computer code in a computer, the method comprising:
identifying a file on a storage device associated with the computer, the file having a plurality of hard links, each hard link associated with a file name;
determining a plurality of file names associated with the plurality of hard links;
ascertaining a set of scanning criteria responsive at least in part to the plurality of file names, where ascertaining the set of scanning criteria comprises:
ascertaining scanning criteria for each of the plurality of file names, and
forming the set of scanning criteria from the most restrictive scanning criteria of the scanning criteria for each of the plurality of file names; and
scanning the file responsive to the set of scanning criteria to detect the presence of malicious computer code in the file.
36. The method of claim 35, wherein a file name of the plurality of file names comprises a file name extension, and wherein ascertaining scanning criteria for each of the plurality of file names ascertains the criteria responsive to the file name extension.
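As an added illustration (not the patent's own code, and far simpler than a kernel file system filter driver), the following Python models the scheme the claims describe: a backpointer table keyed on the file's identity rather than its name (claims 6 and 7), hooks for the add/delete/rename events that keep it current (claim 10), a scan decision that takes the most restrictive criteria across all of a file's names when it has more than one hard link (claims 1 and 35), criteria derived from the file name extension (claim 36), and an integrity check that compares the link count the file system reports with the number of table entries and rebuilds on mismatch (claims 15 and 32). The extension policy, the in-memory table, the (device, inode) key and the `demo` scenario are all assumptions made for the example.

```python
"""Toy model of scan-criteria selection in a hard-linked environment.
Added example, not code from the patent. Everything here (the policy table,
the in-memory backpointer table, the demo files) is constructed."""
import os
import tempfile
from enum import IntEnum


class Strictness(IntEnum):
    """Scan levels ordered so that max() yields the most restrictive one."""
    SKIP = 0       # name suggests inert data
    HEURISTIC = 1  # default scan
    FULL = 2       # executable-looking name: full signature and heuristic scan


# Hypothetical name-based policy (an assumption, not from the patent).
CRITERIA_BY_EXTENSION = {
    ".txt": Strictness.SKIP,
    ".doc": Strictness.HEURISTIC,
    ".exe": Strictness.FULL,
    ".dll": Strictness.FULL,
    ".scr": Strictness.FULL,
}


def criteria_for_name(path):
    """Scanning criteria derived from one file name's extension (claim 36)."""
    ext = os.path.splitext(path)[1].lower()
    return CRITERIA_BY_EXTENSION.get(ext, Strictness.HEURISTIC)


class BackpointerTable:
    """Maps each file's identity (st_dev, st_ino) to every path that links it."""

    def __init__(self):
        self._paths = {}  # (st_dev, st_ino) -> set of absolute paths

    @staticmethod
    def _key(path):
        st = os.stat(path)
        return (st.st_dev, st.st_ino)

    def build(self, root):
        """Construct the table from scratch, e.g. at initialization (claim 12)."""
        self._paths.clear()
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                self.add(os.path.join(dirpath, name))

    # Hooks a filter driver would invoke on add, delete and rename (claim 10).
    def add(self, path):
        path = os.path.abspath(path)
        self._paths.setdefault(self._key(path), set()).add(path)

    def remove(self, path):
        """Must run before the unlink, while the path still resolves."""
        path = os.path.abspath(path)
        self._paths.get(self._key(path), set()).discard(path)

    def rename(self, old, new):
        self.remove(old)
        os.rename(old, new)
        self.add(new)

    def links_to(self, path):
        """Full path names of all hard links to the file (claims 6 and 7)."""
        return frozenset(self._paths.get(self._key(path), set()))

    def integrity_check(self, root):
        """Claims 15/32: compare each file's link count with the number of table
        entries for it; rebuild on any mismatch. Returns the inconsistent paths.
        Assumes every link to a file lives under root, as the claims assume
        the table covers the whole computer."""
        inconsistent = []
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                known = len(self._paths.get((st.st_dev, st.st_ino), ()))
                if st.st_nlink != known:
                    inconsistent.append(path)
        if inconsistent:
            self.build(root)
        return inconsistent


def scan_criteria_for(table, path):
    """Claim 1: with more than one hard link, scan under the most restrictive
    criteria of all the file's names; otherwise the opened name decides."""
    links = table.links_to(path)
    if len(links) <= 1:
        return criteria_for_name(path)
    return max(criteria_for_name(p) for p in links)


def demo():
    """Constructed scenario: the same data reachable as a .txt and as an .exe."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        with open(benign, "wb") as f:
            f.write(b"constructed sample content, not malware")
        table = BackpointerTable()
        table.build(root)
        alone = scan_criteria_for(table, benign)   # SKIP: only one name
        os.link(benign, os.path.join(root, "loader.exe"))
        table.add(os.path.join(root, "loader.exe"))
        linked = scan_criteria_for(table, benign)  # FULL: the .exe name wins
        # A link created behind the table's back is caught by the check.
        os.link(benign, os.path.join(root, "shadow.scr"))
        first = table.integrity_check(root)        # all three paths mismatch
        second = table.integrity_check(root)       # consistent after rebuild
        return alone, linked, len(first), len(second), len(table.links_to(benign))
```

The point the example makes concrete is that opening `notes.txt` alone would be scanned at the weakest level, but once any other name links the same data the scan is decided by the strictest name, and the link count check is what keeps the table honest when a link is created without the hook firing.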

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/280,663 US7260847B2 (en) 2002-10-24 2002-10-24 Antivirus scanning in a hard-linked environment

Publications (2)

Publication Number Publication Date
US20040083381A1 US20040083381A1 (en) 2004-04-29
US7260847B2 true US7260847B2 (en) 2007-08-21

Family

ID=32106991

Country Status (1)

Country Link
US (1) US7260847B2 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050283835A1 (en) * 2004-06-21 2005-12-22 Chris Lalonde Method and system to verify data received, at a server system, for access and/or publication via the server system
US20050283836A1 (en) * 2004-06-21 2005-12-22 Chris Lalonde Method and system to detect externally-referenced malicious data for access and/or publication via a computer system
US20070039052A1 (en) * 2005-08-12 2007-02-15 Computer Associates Think, Inc. System and method for scanning handles
US20090132706A1 (en) * 2007-11-19 2009-05-21 Mastercard International, Inc. Interpersonal Communication Enhancer
US20090138390A1 (en) * 2007-11-26 2009-05-28 Mastercard International, Inc. Financial Transaction Message Exchange System
US20090171830A1 (en) * 2007-12-27 2009-07-02 Mastercard International, Inc. Payment Transaction System
US20100088759A1 (en) * 2008-10-03 2010-04-08 Microsoft Corporation Device-side inline pattern matching and policy enforcement
US20120189201A1 (en) * 2007-11-24 2012-07-26 Piper Scott A Efficient histogram storage
US9501642B2 (en) 2004-06-21 2016-11-22 Paypal, Inc. Render engine, and method of using the same, to verify data for access and/or publication via a computer system
TWI622894B (en) * 2016-12-13 2018-05-01 宏碁股份有限公司 Electronic device and method for detecting malicious file

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7376947B2 (en) * 2004-02-23 2008-05-20 Research In Motion Limited Computer system and method for secure installation and operation of software
EP1684151A1 (en) * 2005-01-20 2006-07-26 Grant Rothwell William Computer protection against malware affection
US7814077B2 (en) * 2007-04-03 2010-10-12 International Business Machines Corporation Restoring a source file referenced by multiple file names to a restore file
US8667591B1 (en) * 2008-06-26 2014-03-04 Emc Corporation Commonality factoring remediation
GB2469323B (en) * 2009-04-09 2014-01-01 F Secure Oyj Providing information to a security application
WO2013183083A1 (en) * 2012-06-06 2013-12-12 Hitachi, Ltd. Storage system and storage system management method
US9003533B1 (en) * 2012-09-07 2015-04-07 Symantec Corporation Systems and methods for detecting malware
US9117077B2 (en) * 2013-09-27 2015-08-25 Bitdefender IPR Management Ltd. Systems and methods for using a reputation indicator to facilitate malware scanning
CN104182519B (en) * 2014-08-25 2018-03-02 百度在线网络技术(北京)有限公司 A kind of file scanning method and device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US609471A (en) * 1898-08-23 Chainless bicycle-gearing
EP0701718A4 (en) * 1993-06-02 2000-03-29 Verifone Inc System and method for revaluation of stored tokens in ic cards
US5721781A (en) * 1995-09-13 1998-02-24 Microsoft Corporation Authentication system and method for smart card transactions
US5923884A (en) * 1996-08-30 1999-07-13 Gemplus S.C.A. System and method for loading applications onto a smart card
WO1998043212A1 (en) * 1997-03-24 1998-10-01 Visa International Service Association A system and method for a multi-application smart card which can facilitate a post-issuance download of an application onto the smart card
US6219439B1 (en) * 1998-07-09 2001-04-17 Paul M. Burger Biometric authentication system
US6567915B1 (en) * 1998-10-23 2003-05-20 Microsoft Corporation Integrated circuit card with identity authentication table and authorization tables defining access rights based on Boolean expressions of authenticated identities
US6633984B2 (en) * 1999-01-22 2003-10-14 Sun Microsystems, Inc. Techniques for permitting access across a context barrier on a small footprint device using an entry point object

Patent Citations (80)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5826249A (en) 1990-08-03 1998-10-20 E.I. Du Pont De Nemours And Company Historical database training method for neural networks
US5452442A (en) 1993-01-19 1995-09-19 International Business Machines Corporation Methods and apparatus for evaluating and extracting signatures of computer viruses and other undesirable software entities
US5398196A (en) 1993-07-29 1995-03-14 Chambers; David A. Method and apparatus for detection of computer viruses
EP0636977A2 (en) 1993-07-29 1995-02-01 David Alan Chambers Method and apparatus for detection of computer viruses
US5832527A (en) * 1993-09-08 1998-11-03 Fujitsu Limited File management system incorporating soft link data to access stored objects
US5495607A (en) 1993-11-15 1996-02-27 Conner Peripherals, Inc. Network management system having virtual catalog overview of files distributively stored across network domain
US5694569A (en) 1993-11-19 1997-12-02 Fischer; Addison M. Method for protecting a volatile file using a single hash
US5572590A (en) 1994-04-12 1996-11-05 International Business Machines Corporation Discrimination of malicious changes to digital information using multiple signatures
US6944555B2 (en) 1994-12-30 2005-09-13 Power Measurement Ltd. Communications architecture for intelligent electronic devices
US5675710A (en) 1995-06-07 1997-10-07 Lucent Technologies, Inc. Method and apparatus for training a text classifier
US5854916A (en) 1995-09-28 1998-12-29 Symantec Corporation State-based cache for antivirus software
US6006242A (en) 1996-04-05 1999-12-21 Bankers Systems, Inc. Apparatus and method for dynamically creating a document
US5884033A (en) 1996-05-15 1999-03-16 Spyglass, Inc. Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions
US5944821A (en) 1996-07-11 1999-08-31 Compaq Computer Corporation Secure software registration and integrity assessment in a computer system
US6401122B1 (en) 1996-07-19 2002-06-04 Fujitsu Limited Communication management apparatus
US5832208A (en) 1996-09-05 1998-11-03 Cheyenne Software International Sales Corp. Anti-virus agent for use with databases and mail servers
US6072942A (en) 1996-09-18 2000-06-06 Secure Computing Corporation System and method of electronic mail filtering using interconnected nodes
US6092194A (en) 1996-11-08 2000-07-18 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US6125459A (en) 1997-01-24 2000-09-26 International Business Machines Company Information storing method, information storing unit, and disk drive
US5974549A (en) 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US6298351B1 (en) 1997-04-11 2001-10-02 International Business Machines Corporation Modifying an unreliable training set for supervised classification
WO1999015966A1 (en) 1997-09-23 1999-04-01 Symantec Corporation Dynamic heuristic method for detecting computer viruses
US6021510A (en) 1997-11-24 2000-02-01 Symantec Corporation Antivirus accelerator
US6094731A (en) 1997-11-24 2000-07-25 Symantec Corporation Antivirus accelerator for computer networks
US6751789B1 (en) 1997-12-12 2004-06-15 International Business Machines Corporation Method and system for periodic trace sampling for real-time generation of segments of call stack trees augmented with call stack position determination
US6023723A (en) 1997-12-22 2000-02-08 Accepted Marketing, Inc. Method and system for filtering unwanted junk e-mail utilizing a plurality of filtering mechanisms
US6421709B1 (en) 1997-12-22 2002-07-16 Accepted Marketing, Inc. E-mail filter and method thereof
US6052709A (en) 1997-12-23 2000-04-18 Bright Light Technologies, Inc. Apparatus and method for controlling delivery of unsolicited electronic mail
US6088803A (en) 1997-12-30 2000-07-11 Intel Corporation System for virus-checking network data during download to a client device
US20020035693A1 (en) 1998-03-02 2002-03-21 Eyres Kevin W. Modified license key entry for pre-installation of software
US6347310B1 (en) 1998-05-11 2002-02-12 Torrent Systems, Inc. Computer system and process for training of analytical models using large data sets
US6253169B1 (en) 1998-05-28 2001-06-26 International Business Machines Corporation Method for improvement accuracy of decision tree based text categorization
US6161130A (en) 1998-06-23 2000-12-12 Microsoft Corporation Technique which utilizes a probabilistic classifier to detect "junk" e-mail by automatically updating a training and re-training the classifier based on the updated training set
US6546416B1 (en) 1998-12-09 2003-04-08 Infoseek Corporation Method and system for selectively blocking delivery of bulk electronic mail
US6397200B1 (en) 1999-03-18 2002-05-28 The United States Of America As Represented By The Secretary Of The Navy Data reduction system for improving classifier performance
US6505167B1 (en) 1999-04-20 2003-01-07 Microsoft Corp. Systems and methods for directing automated services for messaging and scheduling
US6370526B1 (en) 1999-05-18 2002-04-09 International Business Machines Corporation Self-adaptive method and system for providing a user-preferred ranking order of object sets
US20020038308A1 (en) 1999-05-27 2002-03-28 Michael Cappi System and method for creating a virtual data warehouse
US6502082B1 (en) 1999-06-01 2002-12-31 Microsoft Corp Modality fusion for object tracking with training system and method
US6772346B1 (en) 1999-07-16 2004-08-03 International Business Machines Corporation System and method for managing files in a distributed system using filtering
US20020073046A1 (en) 1999-07-30 2002-06-13 David Sancho Enrique System and method for secure network purchasing
US6442606B1 (en) 1999-08-12 2002-08-27 Inktomi Corporation Method and apparatus for identifying spoof documents
US6456991B1 (en) 1999-09-01 2002-09-24 Hrl Laboratories, Llc Classification method and apparatus based on boosting and pruning of multiple classifiers
US6424960B1 (en) 1999-10-14 2002-07-23 The Salk Institute For Biological Studies Unsupervised adaptation and classification of multiple classes and sources in blind signal separation
US6397215B1 (en) 1999-10-29 2002-05-28 International Business Machines Corporation Method and system for automatic comparison of text classifications
US20020199194A1 (en) 1999-12-21 2002-12-26 Kamal Ali Intelligent system and methods of recommending media content items based on user preferences
US20020199186A1 (en) 1999-12-21 2002-12-26 Kamal Ali Intelligent system and methods of recommending media content items based on user preferences
US20020087649A1 (en) 2000-03-16 2002-07-04 Horvitz Eric J. Bounded-deferral policies for reducing the disruptiveness of notifications
US6842861B1 (en) 2000-03-24 2005-01-11 Networks Associates Technology, Inc. Method and system for detecting viruses on handheld computers
US6973578B1 (en) * 2000-05-31 2005-12-06 Networks Associates Technology, Inc. System, method and computer program product for process-based selection of virus detection actions
US6721721B1 (en) 2000-06-15 2004-04-13 International Business Machines Corporation Virus checking and reporting for computer database search results
US20020046207A1 (en) 2000-06-30 2002-04-18 Seiko Epson Corporation Information distribution system, information distribution method, and computer program for implementing the method
US20020138525A1 (en) 2000-07-31 2002-09-26 Eliyon Technologies Corporation Computer method and apparatus for determining content types of web pages
US6886099B1 (en) 2000-09-12 2005-04-26 Networks Associates Technology, Inc. Computer virus detection
US20040039921A1 (en) 2000-10-17 2004-02-26 Shyne-Song Chuang Method and system for detecting rogue software
US20020178375A1 (en) 2001-01-31 2002-11-28 Harris Corporation Method and system for protecting against malicious mobile code
US20020147694A1 (en) 2001-01-31 2002-10-10 Dempsey Derek M. Retraining trainable data classifiers
US20020147782A1 (en) 2001-03-30 2002-10-10 Koninklijke Philips Electronics N.V. System for parental control in video programs based on multimedia content information
US7024403B2 (en) * 2001-04-27 2006-04-04 Veritas Operating Corporation Filter driver for identifying disk files by analysis of content
US20020194489A1 (en) 2001-06-18 2002-12-19 Gal Almogy System and method of virus containment in computer networks
US20020194488A1 (en) 2001-06-19 2002-12-19 Cormack Christopher J. Method and apparatus for authenticating registry information
US20030023875A1 (en) 2001-07-26 2003-01-30 Hursey Neil John Detecting e-mail propagated malware
US20030065926A1 (en) 2001-07-30 2003-04-03 Schultz Matthew G. System and methods for detection of new malicious executables
US20030167402A1 (en) 2001-08-16 2003-09-04 Stolfo Salvatore J. System and methods for detecting malicious email transmission
US20030033587A1 (en) 2001-09-05 2003-02-13 Bruce Ferguson System and method for on-line training of a non-linear model for use in electronic commerce
US20030061287A1 (en) 2001-09-26 2003-03-27 Chee Yu Method and system for delivering files in digital file marketplace
US20030110280A1 (en) 2001-12-10 2003-06-12 Hinchliffe Alexander James Updating data from a source computer to groups of destination computers
US20030110395A1 (en) 2001-12-10 2003-06-12 Presotto David Leo Controlled network partitioning using firedoors
US20030110393A1 (en) 2001-12-12 2003-06-12 International Business Machines Corporation Intrusion detection method and signature table
US20030115479A1 (en) 2001-12-14 2003-06-19 Jonathan Edwards Method and system for detecting computer malwares by scan of process memory after process initialization
US20030115458A1 (en) 2001-12-19 2003-06-19 Dongho Song Invisable file technology for recovering or protecting a computer file system
US20030154394A1 (en) 2002-02-13 2003-08-14 Levin Lawrence R. Computer virus control
US20030233352A1 (en) 2002-03-21 2003-12-18 Baker Andrey George Method and apparatus for screening media
US20040015554A1 (en) 2002-07-16 2004-01-22 Brian Wilson Active e-mail filter with challenge-response
US6952779B1 (en) 2002-10-01 2005-10-04 Gideon Cohen System and method for risk detection and analysis in a computer network
EP1408393A2 (en) 2002-10-07 2004-04-14 Symantec Corporation Selective detection of malicious computer code
US20040103310A1 (en) 2002-11-27 2004-05-27 Sobel William E. Enforcement of compliance with network security policies
US20040117641A1 (en) 2002-12-17 2004-06-17 Mark Kennedy Blocking replication of e-mail worms
US20040117401A1 (en) 2002-12-17 2004-06-17 Hitachi, Ltd. Information processing system
US20040220975A1 (en) 2003-02-21 2004-11-04 Hypertrust Nv Additional hash functions in content-based addressing

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
"Enterprise Protection Strategy" [online] Trend Micro Inc. [retrieved Dec. 3, 2002] Retrieved from the Internet: <URL: http://www.trendmicro.com/en/products/eps/features.htm>. Tokyo, Japan.
"How to Test Outbreak Commander", : Trend Micro Inc., Aug. 2002, pp. 1-13, Cupertino, CA.
Bolosky et al., "Single Instance Storage in Windows 2000", downloaded from the Internet on Oct. 11, 2002 at http://research.Microsoft.com/sn/Farsite/WSS2000.pdf.
Bontchev, Vesselin, "Possible Macro Virus Attacks and How to Prevent Them", Computers & Security, vol. 15, No. 7, pp. 595-626, 1996, Reykjavik, Iceland.
Burchell, Jonathan, "NetShield 1.5", Virus Bulletin, Oxfordshire, England, Aug. 1994, pp. 21-23, XP 000617453.
Morar, J. E. and Chess, D. M., "Can Cryptography Prevent Computer Viruses?", Virus Bulletin Conference 2000, Sep. 2000, pp. 127-138, Virus Bulletin Ltd., Oxfordshire, England.
Parkhouse, Jayne, "Pelican SafeTNet 2.0" [online], Jun. 2000, SC Magazine Product Review, [retrieved on Dec. 1, 2003]. Retrieved from the Internet: <URL: http://www.scmagazine.com/scmagazine/standalone/pelican/sc_pelican.html>.
Wikipedia.org web pages [online], Wikipedia, [retrieved Mar. 17, 2003] Retrieved from the Internet: <URL: http://www.wikipedia.org/w/wiki.phintl?title=machine learning and printable=yes>. U.S.A.

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10891376B2 (en) 2004-06-21 2021-01-12 Paypal, Inc. Render engine, and method of using the same, to verify data for access and/or publication via a computer system
US7971245B2 (en) * 2004-06-21 2011-06-28 Ebay Inc. Method and system to detect externally-referenced malicious data for access and/or publication via a computer system
US7526810B2 (en) 2004-06-21 2009-04-28 Ebay Inc. Method and system to verify data received, at a server system, for access and/or publication via the server system
US9734331B2 (en) 2004-06-21 2017-08-15 Paypal, Inc. Render engine, and method of using the same, to verify data for access and/or publication via a computer system
US20050283835A1 (en) * 2004-06-21 2005-12-22 Chris Lalonde Method and system to verify data received, at a server system, for access and/or publication via the server system
US20050283836A1 (en) * 2004-06-21 2005-12-22 Chris Lalonde Method and system to detect externally-referenced malicious data for access and/or publication via a computer system
US9501642B2 (en) 2004-06-21 2016-11-22 Paypal, Inc. Render engine, and method of using the same, to verify data for access and/or publication via a computer system
US8032938B2 (en) 2004-06-21 2011-10-04 Ebay Inc. Method and system to verify data received, at a server system, for access and/or publication via the server system
US20070039052A1 (en) * 2005-08-12 2007-02-15 Computer Associates Think, Inc. System and method for scanning handles
US8453242B2 (en) * 2005-08-12 2013-05-28 Ca, Inc. System and method for scanning handles
US20090132706A1 (en) * 2007-11-19 2009-05-21 Mastercard International, Inc. Interpersonal Communication Enhancer
US8756282B2 (en) 2007-11-19 2014-06-17 Mastercard International Incorporated Interpersonal communication enhancer
US20120189201A1 (en) * 2007-11-24 2012-07-26 Piper Scott A Efficient histogram storage
US8452093B2 (en) * 2007-11-24 2013-05-28 International Business Machines Corporation Efficient histogram storage
US20090138390A1 (en) * 2007-11-26 2009-05-28 Mastercard International, Inc. Financial Transaction Message Exchange System
US20090171830A1 (en) * 2007-12-27 2009-07-02 Mastercard International, Inc. Payment Transaction System
US8091115B2 (en) 2008-10-03 2012-01-03 Microsoft Corporation Device-side inline pattern matching and policy enforcement
US20100088759A1 (en) * 2008-10-03 2010-04-08 Microsoft Corporation Device-side inline pattern matching and policy enforcement
TWI622894B (en) * 2016-12-13 2018-05-01 宏碁股份有限公司 Electronic device and method for detecting malicious file
US10579798B2 (en) 2016-12-13 2020-03-03 Acer Cyber Security Incorporated Electronic device and method for detecting malicious file

Also Published As

Publication number Publication date
US20040083381A1 (en) 2004-04-29

Similar Documents

Publication Publication Date Title
US7260847B2 (en) Antivirus scanning in a hard-linked environment
US7882561B2 (en) System and method of caching decisions on when to scan for malware
KR101201118B1 (en) System and method of aggregating the knowledge base of antivirus software applications
US8312546B2 (en) Systems, apparatus, and methods for detecting malware
US7841006B2 (en) Discovery of kernel rootkits by detecting hidden information
US7458099B1 (en) Selective detection of malicious computer code
US8607342B1 (en) Evaluation of incremental backup copies for presence of malicious codes in computer systems
KR101693370B1 (en) Fuzzy whitelisting anti-malware systems and methods
US7478431B1 (en) Heuristic detection of computer viruses
RU2468426C2 (en) File conversion in restricted process
US8528087B2 (en) Methods for combating malicious software
US6577920B1 (en) Computer virus screening
US5948104A (en) System and method for automated anti-viral file update
US20030097591A1 (en) System and method for protecting computer users from web sites hosting computer viruses
US20030115458A1 (en) Invisable file technology for recovering or protecting a computer file system
EP1751649B1 (en) Systems and method for computer security
US20070078915A1 (en) Discovery of kernel rootkits with memory scan
US8126866B1 (en) Identification of possible scumware sites by a search engine
US7934229B1 (en) Generating options for repairing a computer infected with malicious software
JP2007536643A (en) Web server for multi-version web documents
US7594272B1 (en) Detecting malicious software through file group behavior
US20070203884A1 (en) System and method for obtaining file information and data locations
RU2617923C2 (en) System and method for anti-virus scanning setting
US8381300B2 (en) Offline extraction of configuration data
US7284273B1 (en) Fuzzy scanning system and method

Legal Events

Date Code Title Description
AS Assignment

Owner name: SYMANTEC CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SOBEL, WILLIAM E.;MCCORKENDALE, BRUCE;REEL/FRAME:013432/0001

Effective date: 20021023

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

AS Assignment

Owner name: CA, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SYMANTEC CORPORATION;REEL/FRAME:051144/0918

Effective date: 20191104